dslreports forum thread
user2008 (Member, join:2005-08-01, Canada)

PPTP/L2TP ports to forward

I have a VPN server sitting behind a NAT [S2K3]. It's running L2TP/IPSec and PPTP. I'd just like to double check that to enable users to connect to the VPN, I have to port forward:
TCP/1723 + IP/47 [GRE] for PPTP
UDP/500 [IKE] + IP/50 [ESP] for L2TP

Thanks.
rjs1003 (Member, join:2002-12-04, united kingd)

Your PPTP port/protocol combination is correct.

For L2TP/IPSec... well, if you didn't have NAT involved you'd be correct, but the mode of IPSec used by L2TP/IPSec connections doesn't work naturally through NAT, so Microsoft use NAT-Traversal (NAT-T) which puts the ESP packet inside another UDP packet, and usually transmits this on port 4500.
So in other words, for L2TP/IPSec you probably just want UDP ports 500 and 4500.

Just to emphasize what I'm saying:
if you run L2TP/IPSec on the NAT box (firewall/gateway/router) you'd want to open UDP 500 + ESP.
If the VPN server is _behind_ the NAT box you want UDP 500 + UDP 4500.

Bob
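As an added example (not part of rjs1003's post or the original thread), here are the two placements described above written out as iptables rules for a Linux NAT box. The interface name eth0 and the server address 192.168.1.10 are placeholders, and the function only prints the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: print iptables rules for the two
# placements rjs1003 distinguishes. Nothing is applied; review the output,
# then pipe it to sh as root. "eth0" and "192.168.1.10" are placeholders.
#
#   vpn_forward_rules MODE WAN_IF SERVER_IP
#     MODE=behind  VPN server is behind the NAT box (DNAT + FORWARD)
#     MODE=onbox   the NAT box itself terminates the VPN (INPUT only)
vpn_forward_rules() {
    mode=$1; wan=$2; srv=$3
    case "$mode" in
    behind)
        echo "sysctl -w net.ipv4.ip_forward=1"
        # Conntrack helper that learns GRE call IDs from the TCP/1723
        # control channel, so GRE replies are matched to the right client.
        echo "modprobe -a nf_conntrack_pptp nf_nat_pptp"
        # PPTP: TCP/1723 control channel plus GRE (IP protocol 47). GRE has
        # no port numbers, so only one internal host can be the DNAT target.
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv"
        echo "iptables -A FORWARD -i $wan -d $srv -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $srv"
        echo "iptables -A FORWARD -i $wan -d $srv -p 47 -j ACCEPT"
        # L2TP/IPsec behind NAT: IKE on UDP/500 and NAT-T on UDP/4500, which
        # carries ESP inside UDP. Raw ESP (protocol 50) is deliberately not
        # forwarded; clients that cannot use NAT-T will not connect.
        for port in 500 4500; do
            echo "iptables -t nat -A PREROUTING -i $wan -p udp --dport $port -j DNAT --to-destination $srv"
            echo "iptables -A FORWARD -i $wan -d $srv -p udp --dport $port -j ACCEPT"
        done
        # Return traffic for every flow above is matched by conntrack.
        echo "iptables -A FORWARD -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        ;;
    onbox)
        # VPN terminates on the NAT box: no address rewriting after the
        # tunnel, so plain ESP is fine and nothing needs DNAT.
        echo "iptables -A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A INPUT -i $wan -p 47 -j ACCEPT"
        echo "iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT"
        echo "iptables -A INPUT -i $wan -p 50 -j ACCEPT"
        # Clients that are themselves behind a NAT negotiate NAT-T during
        # IKE and then send UDP/4500, so accept that as well.
        echo "iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT"
        ;;
    *)
        echo "usage: vpn_forward_rules behind|onbox WAN_IF SERVER_IP" >&2
        return 1
        ;;
    esac
}

# Demo when run directly: rules for a server at the placeholder address
# 192.168.1.10 behind the NAT box's eth0.
if [ "$#" -eq 0 ]; then
    vpn_forward_rules behind eth0 192.168.1.10
fi
```

The ruleset makes the thread's two points visible: in the "behind" case nothing forwards protocol 50, only UDP/500 and UDP/4500, which is what Windows clients send once they detect a NAT during IKE; and GRE can only be DNATed by protocol number, so a plain port forward serves exactly one internal PPTP server.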
user2008 (Member, join:2005-08-01, Canada) [1 edit]


Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.

Matt3, "All noise, no signal." (Premium Member, join:2003-07-20, Jamestown, NC)

said by user2008:

Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.
Microsoft doesn't recommend IPSec NAT-T (UDP 4500) for a VPN server behind NAT: support.microsoft.com/kb/885348

You're likely to experience problems with clients behind NAT with IPSec/L2TP if you can't enable it though.